Jamf Nation Community

Seansmith · ‎05-03-2022

Today we released Jamf Connect 2.12.0 for general availability; this release includes the below details.

Key Feature Content

Login window enhancements which include: 

[PI109797] When the Use Local Authentication by Default (OIDCDefaultLocal) login window preference is set to true, the Shutdown and Restart buttons now display at the button of the screen when Jamf Connect first loads.
[JC-3808] When the Use Passthrough Authentication (OIDCUsePassthroughAuth) login window preference is set to true, the login window no longer displays a step indicator if there is only one step required.

Key Technical Content

[PI109860] If your IdP is Azure or a hybrid integration and you configure the Discovery URL (OIDCDiscoveryURL) login window preference or the Discovery URL (Discovery URL) menu bar app preference, ROPG now works, and you no longer get an error message.
[PI109787] Password synchronization no longer fails when a user connects their mobile active directory (network) account with their IdP account using Jamf Connect's local account migration workflow.
[JC-3749] It is now easier for potential Jamf Connect customers to uninstall the Jamf Connect test file.
[JC-3735] Only one Jamf Connect menu bar app now launches, rather than two, when Jamf Unlock is enabled. This results in only one Jamf Connect icon in the menu bar rather than two.
[PI109938] When Jamf Connect is deployed automatically via Jamf Pro, user's credentials are saved in their login keychain, so they no longer receive a keychain error. Jamf Connect no longer looks for an existing keychain item in the context of the _appstore user's home directory rather than the user who is logged in and running the app.
[JC-3910] If a user has the menu bar app open and loads the launch agent, all instances of the menu bar app are now killed so that when the system relaunches the app, only one copy is running. The second instance no longer kills itself and relaunches.
[PI009255] When Jamf Connect is configured to use Kerberos authentication, users may now change their passwords on computers without a Kerberos preferences plist or with an old Kerberos preferences plist (e.g., from being previously bound to an Active Directory domain). While resolved in version 2.7.0, this issue persisted in versions 2.8.0 and 2.9.0.
[PI102789] When a user disconnects from their VPN/internal network and attempts to change their password using Jamf Connect menu bar app's change password feature, they're no longer presented with a Kerberos password change window that fails to change their password since the Kerberos realm is unreachable. Instead, they're presented with a web interface window where they can change their IdP password.

Product Documentation

For more information, including Release Notes, please see the Jamf Connect Administrator Guide.

Thank you!

The Jamf Connect team

sjlo · ‎05-04-2022

We have FileVault enabled at first Login, using Jamf Pro config profile, not the Jamf Connect Login profile.
Updated to 2.12.0, and now the screen goes black after entering the IdP credentals. The "enable FileVault" pops-up on the black screen. Press OK, and FV does it thing, the screen goes black again, and after 40 seconds the Desktop appears. If I set the FV to enable at logout, this does not happen.

When using 2.11, we can see the backgroud image as defined in the Jamf Connect Login profile, and there is a progress bar that says something like "we are creating your account"

Basholding · ‎05-04-2022

Users that updates to 2.12.0 are getting a pop-up (from the Jamf menu item) to re-login with there Azure credentials but get all the error:

Incorrect network username or password. Try again.
Error from request to URL: https://login.microsoftonline.com/7675ce5b-......

ERROR: Unknown error. Message: AADSTS900144: The request body must contain the following parameter: 'resource'.

Trace ID: e5c06e8c-2706-.....

Correlation ID: 6dfccc4e-e8a3-.....

Timestamp: 2022-05-04 13:45:00Z, STATUS: 400

They enter the correct password, but the login message keeps coming.

How do we solve this?

jxxsmith · ‎05-04-2022

We are having the exact same problem. Currently, we are rolling users back to 2.11 and that is getting them working again. Wondering if there is an update to the config needed that we are not aware of.

DaneAbernathy · ‎05-04-2022

We also got this error message. I had to unscope deploying any version of JC in the Global settings, then rescope 2.11, you can't downgrade so this won't fix it fully. So then I built a policy that deployed the JC uninstaller and JC 2.11 installer to reinstall 2.11.

I think I have narrowed down the issue to setting Azure as the provider, if it is changed to Custom, it will work. At least so far in my testing.

Basholding · ‎05-04-2022

Hey @jxxsmith, what did you do to rollback to 2.11? If we do it in Jamf Pro in the Jamf Connect Deployment and Update Settings it keeps giving the status 'Pending'. I think rollback is not supported in there.
I also tried to follow the possible fix but that is not working for us: Jamf Connect Error Codes - Travelling Tech Guy
Search for error: AADSTS900144

jxxsmith · ‎05-04-2022

I got this from Slack Admin Connect Channel and it has worked for us without having to rollback.

For anyone seeing this issue with error code AADSTS900144 - if you are using Azure as your identity provider, do NOT define OIDCDiscoveryURL or ROPGDiscoveryURL. Use the default Azure discovery URL’s.

Microsoft will be deprecating the v1 endpoint for the discovery URLs soon. 2.12 is using the new v2 discovery URLs.

If you absolutely must define the discovery URL, use a format like the following:
https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration

Note the v2.0 in the URL. All I did was edit out existing COnfig and added a v2.0 and updated all effected users.

Basholding · ‎05-04-2022

Thank you for your reply!

We are using Azure as the provider in the PLIST only we have not defined the OIDCDiscoveryURL and ROPGDiscoveryURL.
But do we need to set this anyway? Because I read in the last part of your post your organisation has defined this?

Once again thank you for helping.

sjlo · ‎05-05-2022

We have the same setup; Azure and no OIDCDiscoveryURL and ROPGDiscoveryURL defined.
We're not getting the error AADSTS900144 or anything, except for an issue with black login backgroud, the IdP login works as expected.

LeafarM · ‎05-05-2022

We have also no OIDCDiscoveryURL or POPGDiscoveryURL defined but getting this error.

Im still searching for a working solution to avoid rollback.

suleymantwana · ‎05-04-2022

Two main issues after upgrading to JC 2.12:
1 - JC Finder menu showing negative password expiry date initially until JC is restarted
2 - Login background turning black and overwriting the CP's custom settings

sjlo · ‎05-05-2022

Regarding issue 2, as we're seing this too. It seems to be related to the FileVault config profile, at least for us it is.

suleymantwana · ‎05-05-2022

We're not rolling out version 2.12 to our production environment. Two glitches too far!

sjlo · ‎05-05-2022

Same here, I only have it on test for now...

jfgocobachi · ‎05-18-2022

I am getting ROPG errors - I rolled back to 2.11.0. I created a rollback policy that runs the Uninstall pkg, then runs the 2.11.0 pkg. Also noted that if re-installing I had to add a sudo killall "Jamf Connect" command so it does not interrupt the user. I did post to our user base of Jamf Connect will appear for a second but then it will end and all that is needed is to relaunch it. It was an ugly method, but it was the only thing I can do in a situation in which a multitude of users was impacted with the 2.12.0 release.

Basholding · ‎05-05-2022

How can we downgrade to 2.11? If we deploy the .PKG in a policy it says the 2.11 package is installed but version 2.12 is still on the system.
If we do it in Jamf Pro in the Jamf Connect Deployment and Update Settings it keeps giving the status 'Pending'. I think rollback is not supported in there.

LeafarM · ‎05-05-2022

Hi

I just found this script to uninstall JC... testing now but looks good. As soon as there is no JC it should install the tageted version in Jamf Applications.

Basholding · ‎05-05-2022

Hi @LeafarM , I don't see any script in your post.
Thank you anyway for helping!

LeafarM · ‎05-05-2022

https://github.com/jamf/JamfConnectUninstall

PieQuest · ‎08-18-2022

If anyone is having issues with Azure after upgrading to 2.12-2.14, please check out my post here.

@LeafarM I was getting the AADSTS900144 error and removed my discovery url properties as well. That just made my error go generic, with Azure saying the login was successful.

TL;DR: you need to remove your Client Secret & Client Secret (Hybrid) properties as well.

LeafarM · ‎08-19-2022

I finally just set the error on the Password Verification Sucess Codes list. I know this ist not the best way but it worked aswell ;). I ll give your solution a try, thank you!

Jamf Nation Community

Jamf Connect 2.12.0 Now Available